faulTPM: Exposing AMD fTPMs’ Deepest Secrets

[Submitted on 28 Apr 2023 (v1), last revised 2 May 2023 (this version, v2)]

Abstract: Trusted Platform Modules constitute an integral building block of modern
security features. Moreover, as Windows 11 made a TPM 2.0 mandatory, they are
subject to ever-increasing academic scrutiny. While discrete TPMs (dTPMs), as
found in higher-end systems, have been susceptible to attacks on their exposed
communication interface, the more common firmware TPMs (fTPMs) are immune to this
attack vector because they do not communicate with the CPU over an exposed bus. In
this paper, we analyze a new class of attacks against fTPMs: attacking their
Trusted Execution Environment (TEE) can lead to a full compromise of the TPM
state. We experimentally verify this attack by compromising the AMD Secure
Processor, which constitutes the TEE for AMD's fTPMs. In contrast to previous
dTPM sniffing attacks, this vulnerability exposes the complete internal state of
the fTPM. It allows us to extract any cryptographic material stored or sealed
by the fTPM regardless of authentication mechanisms such as Platform
Configuration Register (PCR) validation or passphrases with anti-hammering
protection. First, we demonstrate the impact of our findings by enabling, to the
best of our knowledge, the first attack against Full Disk Encryption (FDE)
solutions backed by an fTPM. Furthermore, we lay out how any application
relying solely on the security properties of the TPM, like BitLocker's TPM-only
protector, can be defeated by an attacker with 2-3 hours of physical access to
the target device. Lastly, we analyze the impact of our attack on FDE solutions
protected by a TPM-and-PIN strategy. While a naive implementation also leaves
the disk completely unprotected, we find that BitLocker's FDE implementation
retains some protection depending on the complexity of the PIN used. Our
results show that when an fTPM's internal state is compromised, a TPM-and-PIN
strategy for FDE is less secure than TPM-less protection with a reasonable
passphrase.
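The last three sentences of the abstract rest on one observation: PCR validation and anti-hammering are enforced by the TPM itself, so once its internal state is readable they enforce nothing, and the PIN's own search space is all that is left. As an added illustration (a constructed toy model, not code from the paper and not AMD's firmware), the Python below seals a key under a PCR value and a PIN inside a model fTPM with a dictionary-attack lockout, then runs the same PIN search two ways: through the TPM's API, where the lockout stops it, and against a dump of the internal state, where nothing stops it. The random seed, the XOR-with-KDF "cipher", the lockout threshold, the KDF iteration count and the PIN value are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import math
import secrets
from typing import Dict, Iterable, Optional, Tuple


class Lockout(PermissionError):
    """Raised once the toy TPM's dictionary-attack counter trips."""


class AuthFail(PermissionError):
    """Raised for a wrong PIN or a PCR policy mismatch."""


class ToyFTPM:
    """Toy model of an fTPM sealing service (constructed for illustration only).

    Internal state: a secret seed plus the PCR value the seal policy expects.
    In a real fTPM this state lives inside the TEE and is never exported.
    """

    MAX_TRIES = 32   # anti-hammering: lock after this many failed unseals (assumed)
    KDF_ITERS = 100  # deliberately tiny so the offline search below runs in seconds

    def __init__(self, pcr0: bytes):
        self.seed = secrets.token_bytes(32)
        self.pcr0 = pcr0
        self.failed = 0
        self.locked = False

    def _kdf(self, pin: str, pcr0: bytes) -> bytes:
        # The unseal key depends on the hidden seed, the PIN (auth value) and the PCR policy.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.seed + pcr0, self.KDF_ITERS)

    def seal(self, vmk: bytes, pin: str) -> bytes:
        """Seal a 32-byte volume master key to the current PCR0 and a PIN."""
        assert len(vmk) == 32
        key = self._kdf(pin, self.pcr0)
        ct = bytes(a ^ b for a, b in zip(vmk, key))  # toy cipher: XOR with the KDF output
        tag = hmac.new(key, ct, "sha256").digest()   # makes a wrong key detectable
        return ct + tag

    def unseal(self, blob: bytes, pin: str, pcr0: bytes) -> bytes:
        """The only path a normal caller has: lockout check, policy check, then auth."""
        if self.locked:
            raise Lockout("dictionary-attack lockout active")
        key = self._kdf(pin, pcr0)
        ct, tag = blob[:32], blob[32:]
        if pcr0 != self.pcr0 or not hmac.compare_digest(hmac.new(key, ct, "sha256").digest(), tag):
            self.failed += 1
            if self.failed >= self.MAX_TRIES:
                self.locked = True
            raise AuthFail("PCR policy mismatch or wrong PIN")
        self.failed = 0
        return bytes(a ^ b for a, b in zip(ct, key))

    def dump_state(self) -> Dict[str, bytes]:
        """Stands in for what a TEE compromise yields: the seed and the stored policy."""
        return {"seed": self.seed, "pcr0": self.pcr0}


def online_attack(tpm: ToyFTPM, blob: bytes, pcr0: bytes, candidates: Iterable[str]) -> Optional[bytes]:
    """Attacker without the internal state: every guess must go through the TPM API."""
    for pin in candidates:
        try:
            return tpm.unseal(blob, pin, pcr0)
        except Lockout:
            return None  # anti-hammering wins: the search stops here
        except AuthFail:
            continue
    return None


def offline_attack(state: Dict[str, bytes], blob: bytes, candidates: Iterable[str]) -> Optional[Tuple[str, bytes]]:
    """Attacker holding the dumped state recomputes the KDF itself: no lockout, and the
    PCR policy is met trivially because the expected value is part of the dump."""
    ct, tag = blob[:32], blob[32:]
    salt = state["seed"] + state["pcr0"]
    for pin in candidates:
        key = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ToyFTPM.KDF_ITERS)
        if hmac.compare_digest(hmac.new(key, ct, "sha256").digest(), tag):
            return pin, bytes(a ^ b for a, b in zip(ct, key))
    return None


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Work left for the offline attacker, in bits: what a PIN or passphrase is worth alone."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pcr0 = hashlib.sha256(b"constructed boot measurement").digest()
    tpm = ToyFTPM(pcr0)
    vmk = secrets.token_bytes(32)
    blob = tpm.seal(vmk, "2063")  # 4-digit PIN, constructed for the demo
    pins = [f"{i:04d}" for i in range(10_000)]
    print("online :", online_attack(tpm, blob, pcr0, pins))  # None: locked out after 32 tries
    print("offline:", offline_attack(tpm.dump_state(), blob, pins)[0])  # 2063
    print(f"6-digit PIN: {search_space_bits(10, 6):.1f} bits, "
          f"12-char passphrase: {search_space_bits(95, 12):.1f} bits")
```

The bit counts at the end make the abstract's closing claim concrete: with the TPM state exposed, a 6-digit PIN leaves the attacker under 20 bits of work, while a 12-character passphrase drawn from printable ASCII leaves nearly 80. The only residual cost the model charges the offline attacker is the KDF itself, which is why the protection BitLocker retains in the TPM-and-PIN case scales with PIN complexity and nothing else.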

Submission history

From: Christian Werling

[v1] Fri, 28 Apr 2023 09:34:58 UTC (3,474 KB)

[v2] Tue, 2 May 2023 09:05:53 UTC (3,474 KB)
